I'd say you want a WAF. By the time any IDS (HIDS or NIDS) has reported, it is way too late. OSSEC is not a WAF.
--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Francis Akeyo
Sent: Tuesday, July 05, 2011 01:32
To: ossec-list
Subject: [ossec-list] Extract HTTP requests for active request

Sending Apache log files to OSSEC server from various client systems and want to extract non-authorized HTTP requests such as CONNECT and PUT, e.g. will allow GET and POST only. How can I write a custom rule to extract this request as all attempts to use <url> only seem to capture the path and not the HTTP request?
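
Added example, not part of the original thread and not OSSEC code: the HTTP method sits in the quoted request line of an Apache access-log entry, ahead of the path, so a check for methods outside a GET/POST allowlist has to read that field. The log lines, addresses and function names below are constructed for illustration.

```python
import re

# Apache common/combined log format: the request line is the first quoted field.
# The request pattern tolerates backslash-escaped quotes inside the field.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)
ALLOWED_METHODS = {"GET", "POST"}  # allowlist taken from the question above


def parse_request(line):
    """Return (src, method, target, status), or None if not an access-log entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = m.group("request").split()
    # A well-formed request line is "METHOD target HTTP/x.y". Anything else
    # (empty request "-", binary junk) gets method None so it is flagged too.
    if len(parts) == 3 and parts[0].isalpha() and parts[0].isupper():
        method, target = parts[0], parts[1]
    else:
        method, target = None, m.group("request")
    return m.group("src"), method, target, int(m.group("status"))


def disallowed_requests(lines):
    """Collect parsed entries whose method is not on the allowlist."""
    hits = []
    for line in lines:
        parsed = parse_request(line)
        if parsed and parsed[1] not in ALLOWED_METHODS:
            hits.append(parsed)
    return hits


# Constructed sample entries (documentation address range, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Jul/2011:01:30:01 -0600] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [05/Jul/2011:01:30:07 -0600] "CONNECT mail.example.com:25 HTTP/1.0" 405 312',
    '192.0.2.12 - alice [05/Jul/2011:01:31:15 -0600] "POST /login HTTP/1.1" 302 -',
    '192.0.2.13 - - [05/Jul/2011:01:31:40 -0600] "PUT /upload/test.txt HTTP/1.1" 403 298',
    '192.0.2.14 - - [05/Jul/2011:01:32:02 -0600] "-" 408 -',
]

if __name__ == "__main__":
    for src, method, target, status in disallowed_requests(SAMPLE_LOG):
        print(f"{src} method={method} target={target} status={status}")
```

The status code is kept in each hit so that a refused request (405, 403) can be told apart from one the server actually served.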
